It's not news that shadow IT is a problem. It's been a problem ever since employees started bringing Apple and Osborne computers to the office in the 1970's to do their work. But nothing has accelerated the problem like the cloud, which removes almost all constraints on employees to bypass IT.

The Q2 Cloud Adoption and Risk Report from Skyhigh Networks looks at enterprises that attempted to address the problem of shadow IT, how they did it and how successful they were. The subjects were over 200 organizations, generally large ones in the Fortune 2000, across all major verticals - Education, Financial Services, Food & Beverage, Healthcare, High-Tech, Media, Oil & Gas, Manufacturing, Retail, and Utilities.

Skyhigh Networks sells a series of services for enterprises to manage access to outside cloud services. The service programs the organization's firewalls and proxies to enforce policy set by IT with the service. Usage data from the service provided much of the data used in the study.

Special Feature

Software as a Service offers irresistible benefits for organizations of all sizes — from cost savings to scalability to mobile accessibility. We offer guidance on avoiding the pitfalls of the cloud and choosing your SaaS partners well.

Shadow IT is a problem because it bypasses the IT staff who are responsible for protecting the security of enterprise IT resources and prevents proper enforcement of compliance with legal regulatory regimes, contractual obligations and other company policy.

Simply forbidding the use of outside services is a proven losing policy; employees don't use them to spite IT, they use them to help get their work done. If the company does not allow or provide tools, employees will find them elsewhere. This is why the most successful companies in the study were the ones which worked with employees to help them use outside cloud services in a secure and approved way.

In the study Skyhigh identified 3,816 unique cloud services in use, an average of 738 per organization. The majority of these services lack basic security features and only 9 percent, according to Skyhigh "... fully satisfied the most stringent requirements for data protection, identity verification, service security, business practices, and legal protection. Only 11 percent encrypt data at risk, only 16 percent provide multi-factor authentication, and only 4 percent are ISO 27001 certified." When surveyed in advance of seeing real usage data, IT typically believed the number of services in use is a small fraction of the real number.

As part of its service, Skyhigh says it rates over 8,000 cloud services for their level of risk, including an evaluation of the terms of service and the company's history of security incidents.

Skyhigh says that organizations used its service to manage the shadow IT problem in a variety of ways. Broadly speaking, IT can set policies for services that will:

Allow access

Allow but monitor access

Allow but educate users of service risks and acceptable use policy (notices to users explain risks)

Enforce read-only access

Block access and provide company-approved alternatives

These policies can be set specific to a service or based on the risk level.

According to Skyhigh, the third option, on the spot education of the user, was the most effective way to influence cloud usage. It provides an opportunity both to discuss the risks of various services and to offer an approved alternatives.

In the study, organizations were able to reduce the use of file sharing services by 97 percent. These are probably the riskiest of consumer services and the ones for which secure alternatives are most easily available. The other major findings were:

33 percent overall reduction in number of cloud services used

87 percent reduction in number of tracking services identified

83 percent increase in percentage of low risk services as compared to total services used

79 percent average reduction in volume of data sent to high-risk cloud services

50 percent average reduction in number of high-risk cloud services used

97 percent average reduction in data volume sent to high-risk file sharing services

78 percent average reduction in number of high-risk file sharing services used

There was also a 6 percent ($532,000) reduction in cloud service expenditures.

Thank You

By registering you become a member of the CBS Interactive family of sites and you have read and agree to the Terms of Use, Privacy Policy and Video Services Policy. You agree to receive updates, alerts and promotions from CBS and that CBS may share information about you with our marketing partners so that they may contact you by email or otherwise about their products or services.
You will also receive a complimentary subscription to the ZDNet's Tech Update Today and ZDNet Announcement newsletters. You may unsubscribe from these newsletters at any time.